RSA Conference Blog
The latest news and info from RSA Conference
Feed: https://www.rsaconference.com/rss/blogs.rss
Last built: Fri, 09 Dec 2016 10:01:32 EST

Boards of Directors Are Driven Primarily by Compliance, Not Fear
Ryan Stolte, Wed, 09 Nov 2016 12:00:00 EST
Cybersecurity and risk are hot topics in the boardroom. Board members are increasingly asking CISOs to explain how they are protecting the company so that they can make informed cybersecurity decisions. In June 2016, we released a report, How Boards of Directors Really Feel About Cyber Security Reports (http://baydynamics.com/resources/how-boards-of-directors-really-feel-about-cyber-security-reports), that illustrated the increasing pressure on CISOs to present understandable and actionable information to the board. Board members said that cyber risk was the highest priority, outweighing other operational risks such as financial, legal, regulatory and competitive risks. That finding…
Link: https://www.rsaconference.com/blogs/boards-of-directors-are-driven-primarily-by-compliance-not-fear

The Longevity Challenge in Infosec
Wendy Nather, Tue, 04 Oct 2016 12:00:00 EDT
In a recent BankInfoSecurity article (http://www.bankinfosecurity.com/interviews/us-cio-federal-funding-process-played-key-role-in-opm-hack-i-3316), U.S. Federal Chief Information Officer Tony Scott was quoted as saying one of the main factors behind the OPM breach was the tendency of Congress to “fund civilian agencies to maintain their information systems, not to modernize them.” This is endemic both in the public sector and in other organizations below the security poverty line (http://idoneous-security.blogspot.com/2011/12/security-poverty-line-and-junk-food.html), which I started writing about in 2011. But before everyone gets out the smelling salts at the idea that organizations don’t update their systems, let’s examine the source of this reaction. In IT, we’ve come to accept the…
Link: https://www.rsaconference.com/blogs/the-longevity-challenge-in-infosec

Getting Everyone on Board with Cybersecurity
Steve Sheck, Fri, 16 Sep 2016 12:00:00 EDT
It’s shocking to those of us who work in the industry, but people still do not take cybersecurity seriously. How many people do you work with who still use “abc1234!” as a password? Or say things like “I haven’t updated my phone’s OS in months”? Many think of cybersecurity like a home defense system. You push a button, and the house (your organization) is secure. That’s not the case. Imagine if, in the above scenario, someone left a window open. Even though you armed the security system, your home isn’t secure due to the action of someone else. Cybersecurity is much more team-oriented than…
Link: https://www.rsaconference.com/blogs/getting-everyone-on-board-with-cybersecurity

Do Data Breaches Affect Company Value?
Liviu Arsene, Fri, 29 Jul 2016 12:00:00 EDT
With malware growing more prevalent, possibly nearing 600 million samples in 2016, the average cost of a data breach has been estimated (http://businessinsights.bitdefender.com/security-breaches-becoming-more-costly) to reach $4 million. Gartner, which had estimated worldwide spending on information security reaching $75.4 billion in 2015, sees a 26 percent probability that a company will experience one or more data breaches within a 24-hour period. While fixing a data breach has quantifiable costs that translate into increased security budgets and investing more in security technologies and personnel, a company’s value is rarely evaluated after such incidents. Studies…
Link: https://www.rsaconference.com/blogs/do-data-breaches-affect-company-value

How Cybersecurity Impacts Customer Loyalty
Alisdair Faulkner, Tue, 21 Jun 2016 12:00:00 EDT
When it comes to banking, e-commerce and other online activities, fraud is one of consumers’ top concerns. In fact, insights from a recent First Annapolis (http://www.firstannapolis.com/news/threatmetrix-uncovers-14-9-billion-yearly-loss-due-to-consumer-friction-and-fraud-attrition) and ThreatMetrix consumer study showed that more than half of consumers (55 percent) are extremely concerned about the risks of banking and payments-related fraud, with 46 percent indicating their fraud concerns have increased in the past two years. Given this consumer sentiment, cybercrime and other related attacks can have a detrimental impact on consumer sentiment toward banks. Consumers’ digital-first preference makes cybersecurity…
Link: https://www.rsaconference.com/blogs/how-cybersecurity-impacts-customer-loyalty

Small Business: Wake Up to Growing Cyber Threats
Robert Ackerman Jr., Fri, 03 Jun 2016 12:00:00 EDT
A few months ago, Rokenbok Education (https://rokenbokeducation.org/), a Solana Beach, Calif., maker of educational toys, was facing perhaps the quintessential nightmare of the 21st century. Cyber criminals had encrypted the company’s computer files, rendering them useless. The hackers were deploying ransomware. If Rokenbok wanted the data unlocked, it would have to pay a ransom. As the New York Times (http://www.nytimes.com/2016/01/14/business/smallbusiness/no-business-too-small-to-be-hacked.html?_r=0) reported, the company ultimately managed to find a creative way out, sidestepping the ransom by laboriously reconstructing its key systems. This was, in fact, the company’s second cybersecurity battle, and it underscores a fact…
Link: https://www.rsaconference.com/blogs/small-business-wake-up-to-growing-cyber-threats

What Do Hackers Want from Professional Sports Teams?
Rook Security, Thu, 02 Jun 2016 12:00:00 EDT
By Mike Patterson, Vice President of Strategy, Rook Security
Recently, the Milwaukee Bucks basketball organization went public with a successful W-2 phishing attack (http://www.si.com/nba/2016/05/19/milwaukee-bucks-players-financial-data-leak-email-scam) that targeted its players and employees. While this is probably not the first attack of its kind, it is a new known data point in attacks against sports teams. In 2015, incidents targeted baseball player scouting data (involving the St. Louis Cardinals and the Houston Astros, http://sports.yahoo.com/blogs/mlb-big-league-stew/the-details-in-the-cardinals-astros-hacking-scandal-are-insane-211314578.html), and the bloodwork of Tour de France champion Chris Froome (http://www.cyclingnews.com/news/tour-de-france-froomes-data-files-believed-to-be-hacked/) from Team Sky. It appears that now someone has finally realized most team employees are millionaires…
Link: https://www.rsaconference.com/blogs/what-do-hackers-want-from-professional-sports-teams

Saying Goodbye: Managing Security for Departing Personnel
RSAC Contributor, Fri, 27 May 2016 12:00:00 EDT
By Kenneth Morrison, Principal, Morrison Consulting
Personnel departures are a daily occurrence for large organizations, and small and medium-sized organizations need to manage them on a regular basis. The RSA Conference 2016 Peer2Peer session Saying Goodbye: Managing Security for Departing Personnel (/events/us16/agenda/sessions/2654/saying-goodbye-managing-security-for-departing) provided the opportunity for a great group of 25 attendees to talk to each other in a small session about managing security for something we all share in common. By the term “organization” we include both companies and other types of organizations, such as government and NGO’s, Non-Governmental…
Link: https://www.rsaconference.com/blogs/saying-goodbye-managing-security-for-departing-personnel

There is Such a Thing as Security Return on Investment: Well, Sort of
Gib Sorebo, Tue, 01 Mar 2016 12:00:00 EST
Having spent a fair amount of time with critical infrastructure operators, I’ve gotten used to the groans and eye rolls I receive when I try to explain why they need to spend more money on cybersecurity. Whether it’s to satisfy a compliance requirement or to reduce the risk of a cyber attack by some incalculable amount, the common perception is that we’re getting in the way of a profitable business. “All this effort without generating a single megawatt of power” was one operator’s lament. And I can certainly sympathize with that feeling. Nonetheless, it’s undeniable that critical…
Link: https://www.rsaconference.com/blogs/there-is-such-a-thing-as-security-return-on-investment-well-sort-of

Breaking Through to Users for Better Security, Inside Out
Jack Danahy, Tue, 16 Feb 2016 12:00:00 EST
In today’s world of big data, some of the most valuable information you can collect is simple insight into the people you’re trying to protect. Your users are all different, and to reach them you need to tailor your messages to address their individual interests, concerns, and needs. That’s where “personas” come in—by developing profiles of various types of users you can learn how to communicate with them more effectively and address any resistance they may have. Here are four sample personas, with ideas on how best to reach them regarding security. Meaghan, your CEO: Meaghan has been a CEO…
Link: https://www.rsaconference.com/blogs/breaking-through-to-users-for-better-security-inside-out

Think Security Is Expensive? Insecurity Costs Much More
Tony Bradley, Fri, 23 Oct 2015 12:00:00 EDT
Security has come a long way over the past decade. It is still the red-headed stepchild of the business units, but at least most organizations have some sort of CSO or CISO role in place and do a good job feigning support for security. Businesses that focus on squeaking by spending as little as possible on security, though, are bound to find out the hard way just how expensive a lack of security can be. Organizations take security more seriously these days—thanks in large part to compliance mandates like SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act), …
Link: https://www.rsaconference.com/blogs/think-security-is-expensive-insecurity-costs-much-more

Why It Costs More to Protect Your Virtual Infrastructure
Tony Bradley, Mon, 19 Oct 2015 12:00:00 EDT
Security incidents are expensive, but not all security incidents are created equally. A recent study (https://press.kaspersky.com/files/2015/08/IT_Risks_Survey_Report_Virtualization.pdf) found that businesses pay a significant premium for incident response and recovery affecting a virtual infrastructure. Respondents representing more than 5,500 different companies across 25 different countries participated in the survey. The purpose of the survey was to learn more about the cost of security incidents and incident recovery and what impact virtual servers or a virtual infrastructure have on those costs. The study found that 62 percent of businesses use virtualization in some form…
Link: https://www.rsaconference.com/blogs/why-it-costs-more-to-protect-your-virtual-infrastructure

How Much Will That Phishing Trip Cost You?
Tony Bradley, Tue, 29 Sep 2015 12:00:00 EDT
Organizations spend a significant amount of money on security tools. All of the firewalls and antimalware solutions in the world, though, offer little protection against a phishing attack that tricks an authorized user into downloading malicious software or compromising credentials. Phishing attacks are becoming more effective and more costly as time goes on. The Ponemon Institute recently published a report titled Cost of Phishing and the Value of Employee Training (http://info.wombatsecurity.com/hubfs/Ponemon_Institute_Cost_of_Phishing.pdf?t=1440512376911&t=1443108717310) that illustrates the concerning trends behind phishing. Ponemon researchers surveyed 377 IT and IT security professionals from…
Link: https://www.rsaconference.com/blogs/how-much-will-that-phishing-trip-cost-you

You Can’t Squeeze Blood From a Turnip
Tony Bradley, Wed, 23 Sep 2015 12:00:00 EDT
You’ve probably heard the phrase “You can’t squeeze blood from a turnip” before. The point is that no amount of begging, coercing, pushing, or otherwise coaxing something can yield results if those results simply aren’t possible. Many organizations, however, hand a proverbial turnip to the CISO and expect blood in return. Executive management or the company board have expectations for the CISO. It’s the job of management—and particularly of the board—to wring every last drop of productivity and potential revenue from the resources available, and that includes the CISO. It’s fair for an…
Link: https://www.rsaconference.com/blogs/you-cant-squeeze-blood-from-a-turnip

What Do Companies Expect From a CISO?
Tony Bradley, Tue, 15 Sep 2015 12:00:00 EDT
The role of CISO is an important one. It must be. It has Chief right in the title. The question, though, is what exactly does a company expect a CISO to do? You can’t meet or manage expectations if you don’t know what they are, and there’s a good chance you won’t keep your CISO job very long if you can’t meet expectations. A CISO is responsible for securing and protecting information assets, but the job description is broader than just security. In order to be “C-level” and have a seat at the table of executive management, the CISO also has to have a grasp on business vision, finance, and human…
Link: https://www.rsaconference.com/blogs/what-do-companies-expect-from-a-ciso

Taking Responsibility for Information Security
Tony Bradley, Wed, 09 Sep 2015 12:00:00 EDT
It’s impossible for any one person to manage every aspect of securing the network, endpoints and data of an entire organization. The top of the security chain of command in most cases is the Chief Information Security Officer, though, so ultimately that responsibility falls on the shoulders of the CISO. Security is everyone’s job. Each and every employee within a company has to have some basic security awareness and the common sense not to click on suspicious links or open file attachments from unknown sources. Employees should know better than to send sensitive or confidential material…
Link: https://www.rsaconference.com/blogs/taking-responsibility-for-information-security

Criminals Use CEO Emails to Target Companies
RSAC Contributor, Thu, 03 Sep 2015 12:00:00 EDT
That email from the CEO in your inbox may not be real. Stop and pick up the phone to make sure it's legitimate before you take action. The FBI said (http://www.ic3.gov/media/2015/150827-1.aspx) cybercriminals stole nearly $750 million from more than 7,000 companies in the United States between October 2013 and August 2015. When you include international victims, total losses from business-to-email attacks exceed $1.2 billion. Attackers, members of organized crime groups operating out of Africa, Eastern Europe, and the Middle East, primarily target businesses that work with foreign suppliers and who regularly conduct wire transfer payments…
Link: https://www.rsaconference.com/blogs/criminals-use-ceo-emails-to-target-companies

Five Ways Security Metrics Do More Harm Than Good
Tony Bradley, Mon, 31 Aug 2015 12:00:00 EDT
There is no shortage of data out there. Virtually everything with a power source is logging events and churning out data almost constantly—including all of your security tools. That data—your security metrics—can uncover valuable truths about your security posture if used and analyzed properly, but it can also be very misleading or completely useless. Aaron Levenstein is credited with this little tidbit of wisdom (http://www.quotegarden.com/statistics.html): “Statistics are like bikinis. What they reveal is suggestive, but what they conceal is vital.” The bottom line is that your security metrics can help you uncover issues with your…
Link: https://www.rsaconference.com/blogs/five-ways-security-metrics-do-more-harm-than-good

Security Metrics to Drive Change
Tony Bradley, Mon, 24 Aug 2015 12:00:00 EDT
What’s the point, really? You've dedicated terabytes of storage to capture insane volumes of log data, but for what? Yes, you can distill the highlights which make you look good and drop them in your reports. Be warned that those types of vanity metrics don’t provide any real value. Use the right security metrics in the right way, and you can clearly illustrate the issues. And that's how you drive change for your organization. Security metrics give you the tools to change user behavior and to build a case for the kind of changes you want to make to the organization's security posture. Use…
Link: https://www.rsaconference.com/blogs/security-metrics-to-drive-change

If You Don't Know Where You Are, How Do You Know Where You Are Going?
Tony Bradley, Fri, 21 Aug 2015 12:00:00 EDT
Business intelligence and big data analytics are valuable tools for organizations. Collecting and analyzing the right metrics related to current and past performance helps businesses develop effective plans for the future. This is especially true when it comes to securing your network and protecting your data. Think of it like making a trip to the grocery store. You can just walk in and shop. You can make guesses about what items you might be out of or just grab whatever looks good in the moment. When you get home, though, you might find that you’ve wasted a lot of time and money on…
Link: https://www.rsaconference.com/blogs/if-you-dont-know-where-you-are-how-do-you-know-where-you-are-going

What Black Hat and the NFL Have in Common: Strategy
Eric Cowperthwaite, Wed, 19 Aug 2015 12:00:00 EDT
This time of year is a merging of two of my favorite things: Hacker Summer Camp (aka BSidesLV, Black Hat and DefCon) and the beginning of the football season. On the surface it might not appear that these things have a lot in common. However, a bit deeper analysis tells us that the strategies employed by your security team and your favorite football team revolve around many of the same principles in order to achieve success. If we learned one thing at Black Hat 2015 it’s that our current playbook is not working. Simply put, the bad guys are soundly beating us at our own game and we’ve done a…
Link: https://www.rsaconference.com/blogs/what-black-hat-and-the-nfl-have-in-common-strategy

Security Awareness as the Front Line of Defense
Fahmida Y. Rashid, Thu, 13 Aug 2015 12:00:00 EDT
People still fall for phishing scams, open up attachments on spam messages, and visit websites claiming to have exclusive video footage of the latest scandal du jour. The average person’s ability to stay safe online hasn’t really changed. We are bombarded almost daily about the latest data breaches. Many of us have had our credit cards replaced, not just once, but maybe even twice or three times, because of breaches at our favorite retailers and brands. The average Internet user is much more aware of how criminals are stealing identities and personal information, but that hasn’t really…
Link: https://www.rsaconference.com/blogs/security-awareness-as-the-front-line-of-defense

CISO Guide to Being an Effective Security Leader
Fahmida Y. Rashid, Mon, 10 Aug 2015 12:00:00 EDT
With all the data breaches and security headlines of the past year, it was inevitable that the role of the CISO would become much more visible. Organizations are increasingly hiring CISOs or creating senior-level security positions, but there is still a lot of confusion about what a CISO actually does (http://www.rsaconference.com/blogs/a-note-on-cisoproblems). The job description has changed from mitigating exposure and securing the perimeter to one of quantifying and managing risk as well as enabling business goals. The job description also depends on the organization’s size and complexity, as well as the scope of overall duties. For smaller…
Link: https://www.rsaconference.com/blogs/ciso-guide-to-being-an-effective-security-leader

Peers Talk About Mindfulness
RSAC Contributor, Tue, 04 Aug 2015 12:00:00 EDT
Jennifer Minella (http://www.rsaconference.com/speakers/jennifer-minella), VP of Engineering at Carolina Advanced Digital, led security and risk professionals in a discussion about mindfulness and leadership (/events/us15/agenda/sessions/1958/mindfulness-leadership-from-within) as part of the Peer-to-Peer discussion at RSA Conference 2015 in San Francisco. Below are Minella's notes from the session.
The idea of this P2P was that we can affect change in the workplace around us, and sharing ways to go about that. In the end though, I think the whole of the group realized change starts within, and once each of us/them gets a handle on a personal culture and series of mental habits – that will creep, leak, and seep in to…
Link: https://www.rsaconference.com/blogs/peers-talk-about-mindfulness

Your Security Posture is Only as Good as Your Security Awareness
Tony Bradley, Wed, 29 Jul 2015 12:00:00 EDT
Everyone knows they’re not supposed to open file attachments or click on links in unsolicited emails, right? At this stage in the game, after all those headlines, it’s tempting to assume everyone has gotten the memo. Everyone exercises a healthy dose of cautious skepticism when online. Wrong. The average user is definitely better educated about security risks and potential threats than he or she was a few years ago, but attackers are agile and prolific. Innovative new exploits and attack vectors emerge all the time, and it’s unreasonable to expect users to be invested enough to stay on top of…
Link: https://www.rsaconference.com/blogs/your-security-posture-is-only-as-good-as-your-security-awareness